La Privacy e Cybersec per le aziende
Osservatorio a cura del dott. V. Spataro privacy, formulari, check up per WordPress

   demo 2023-11-02 ·  NEW:   Appunta · Stampa · pdf

Digivo, sms, marketing, consent, legitimate interest


Documento annotato il 02.11.2023 Fonte:


L'analisi è riservata agli iscritti. Segui la newsletter dell'Osservatorio oppure il Podcast iscrizione gratuita 30 giorni



Eestimated reading time: 23 min 1 DATA PROTECTION ACT 1998 SUPERVISORY POWERS OF THE INFORMA ...


Testo riservato. Per iscriversi:
all'Osservatorio - al Podcast (30 gg gratuito)

ime: 23 min 1 DATA PROTECTION ACT 1998 SUPERVISORY POWERS OF THE INFORMATION COMMISSIONER MONETARY PENALTY NOTICE To: Digivo Media Limited Of: Office One, 1 Coldbath Square, London, EC1R 5HL 1. The Information Commissioner (“the Commissioner”) has decided to issue Digivo Media Limited (“Digivo”) with a monetary penalty under section 55A of the Data Protection Act 1998 (“DPA”). The penalty is in relation to a serious contravention of Regulation 22 of the ....... and Electronic Communications (EC Directive) Regulations 2003 (“PECR”). 2. This notice explains the Commissioner’s decision. Legal framework 3. Digivo, whose registered office is given above (Companies House Registration Number: 12806848) is the organisation stated in this notice to have transmitted and instigated the transmission of unsolicited communications by means of electronic mail to individual subscribers for the purposes of direct marketing contrary to regulation 22 of PECR. 4. Regulation 22 of .... states: 3 5. Section 122(5) of the Data Protection Act 2018 “DPA18” defines direct marketing as “ the communication (by whatever means) of advertising or marketing material which is directed to particular individuals ”. This definition also applies for the purposes of .... (see regulation 2(2) PECR and paragraphs 430 & 432(6) to Schedule 19 of the DPA18). 6. From 1 January 2021, ....... .. .... has been defined by reference to the concept of ....... .. ... .. .... as defined in section 3(10) of the ... 2018 [1] : see regulation 2(1) of PECR, as amended by Part 3 of Schedule 3, paragraph 44 of The Data Protection, ....... and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019/419. Article 4(11) of the UK .... sets out the following definition: “ ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the .......... of personal data relating to him or her ”. 7. “Individual” is defined in regulation 2(1) of .... as “a living individual and includes an unincorporated body of such individuals ”. 8. A “subscriber” is defined in regulation 2(1) of .... as “ a person who is a party to a contract with a provider of public electronic communications services for the supply of such services ”. 9. “Electronic mail” is defined in regulation 2(1) of .... as “ any text, voice, sound or image message sent over a public electronic communications network which can be stored in the network or in the [1] The UK .... is therein defined as Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (“GDPR”) as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018. 4 recipient’s terminal equipment until it is collected by the recipient and includes messages sent using a short message service ”. 10. The term "soft opt-in" is used to describe the rule set out in in Regulation 22(3) of PECR. In essence, an organisation may be able to e-mail its existing customers even if they haven't specifically consented to electronic mail. The soft opt-in rule can only be relied upon by the organisation that collected the contact details. 11. Section 55A of the ... (.. ....... .. .... cases by Schedule 1 to PECR, as variously amended) states: “(1) The Commissioner may serve a person with a monetary penalty if the Commissioner is satisfied that – (a) there has been a serious contravention of the requirements of the ....... and Electronic Communications (EC Directive) Regulations 2003 by the person, (b) subsection (2) or (3) applies. (2) This subsection applies if the contravention was deliberate. (3) This subsection applies if the person – (a) knew or ought to have known that there was a risk that the contravention would occur, but (b) failed to take reasonable steps to prevent the contravention.” 12. The Commissioner has issued statutory guidance under section 55C (1) of the ... about the issuing of monetary penalties that has been published on the ICO’s website. The Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010 prescribe that the amount of any penalty determined by the Commissioner must 5 not exceed £500,000. 13. .... were enacted to protect the individual’s fundamental right to privacy in the electronic communications sector. .... were subsequently amended and strengthened. The Commissioner will interpret .... in a way which is consistent with the Regulations’ overall aim of ensuring high levels of protection for individuals’ ....... rights. 14. The provisions of the ... ...... .. ..... ... ... ........ .. .... notwithstanding the introduction of the DPA18: see paragraph 58(1) of Schedule 20 to the DPA18. Background to the case 15. Digivo was incorporated on 11 August 2020 and the registered address is Office One, 1 Coldbath Square, London, EC1R 5HL. There is one director appointed, Sebastian Powdrill. 16. Digivo trades as Rid My Debt. Individuals use the Rid My Debt website to help find debt solutions by inputting their personal information and details of their outstanding debts; their information is then passed to Digivo’s panel of debt service finders and providers so that these third parties can offer debt management solutions. 17. Mobile users can report the receipt of unsolicited marketing text messages to the Mobile UK’s Spam Reporting Service by forwarding the 6 message to 7726 (spelling out “SPAM”). Mobile UK is an organisation that represents the interests of mobile operators in the UK. The Commissioner is provided with access to the data on complaints made to the 7726 service and this data is used to ascertain organisations in breach of PECR. 18. Digivo came to the ICO’s attention following a review of debt management complaints received via the SPAM reporting tool. 19. Complaints research by the Commissioner indicated that 943 spam text reports about Digivo had been submitted to 7726, as well as one complaint submitted to the ... directly. The text message scripts were as follows: NAME, new laws mean you can write off debts you cannot afford to repay. Stop creditor action. for FREE pack. STOP?07520648329 NAME, credit records show you can write off 75% of your debt. Freeze Interest. Visit for FREE advice. STOP?07520648329 20. These messages constituted marketing as they encouraged individuals to go to the Rid My Debt website to get a “free pack” or “free advice”, which represented the promotion of Digivo’s products and services through the Rid My Debt website. 21. On 8 September 2021, an investigation letter was sent to Digivo via email. The letter outlined the Commissioner’s concerns about compliance with the PECRs, and the powers available to the ICO. It also asked a range of questions, including the volume of marketing 7 messages sent and delivered over the period 7 September 2020 to 7 September 2021, the source of the data, and evidence of ....... relied on by Digivo to send the marketing messages. An index of the 944 complaints was also provided and Digivo was asked to provide an explanation for the complaints. 22. On 29 September 2021, Sebastian Powdrill, sole director of Digivo, provided a response to the investigation letter. He stated that:  479,017 text messages had been sent, of which 415,041 had been delivered, over the period 7 September 2020 to 7 September 2021.  Digivo was both the instigator and the sender of the text messages.  Personal data was obtained from Digivo’s website,; no other sources were used.  The text messages were sent with the purpose of legitimate interest relating to debt concern.  Digivo relied on a check box which data subjects must tick for consent to contact the individuals by text message.  Digivo had an SMS schedule where once a week customers who expressed their ....... would be messaged in the interests of re-marketing. 23. The Commissioner notes this response did not make it clear what justification Digivo were relying on to send the marketing messages, since both ....... and legitimate interests were referenced. Mr Powdrill stated that Digivo sent the data “with the purpose of legitimate interest” but also that the data collection box includes “a check box where the customer agrees to give their ....... to receive email, SMS and telephone communication”. 8 24. When the Commissioner examined Divigo's ....... policy, it appeared that Digivo relied on consent: “You will receive marketing communications from us if you have consented to received (sic) information for products and services from us.” 25. In Digivo's response it was confirmed that marketing text messages were first sent on 24 March 2021. The start of the contravention period was necessarily adjusted from 7 September 2020 to 24 March 2021. The full contravention period is therefore 24 March 2021 to 7 September 2021, a period of just under six months. 26. Digivo also stated: “We only send out marketing communication in alignment with legitimate interests, this way we can ensure the customer only sees what service they are interested in.” 27. From this response it appeared that Digivo relied on legitimate interests to send marketing messages, which contrasts with the information provided to individuals in Digivo’s ....... policy. However, in order to send the marketing messages in compliance with Regulation 22, Digivo would need to have relied on ....... or the soft opt-in. 28. Digivo provided a screenshot of the data collection form relied on to justify sending marketing messages to data subjects. However, this form asked individuals to “agree”, rather than giving individuals the option to opt out. Digivo stated: 9 “The customer agrees to give their ....... to receive email, SMS and telephone communication and agrees to our ....... policy and our terms and conditions.” 29. The Commissioner asked Digivo whether customers would be able to click the “write off my debt!” box without ticking the “I agree” tick box. Initially, Digivo stated: “It was always the case that you could submit an application without ticking the tick box. However, upon checking this again now I can see it won’t let you submit the form without ticking the box." 30. Further, Digivo explained: “There is no way someone buying that lead can provide their debt solution service without that box being ticked i.e. being able to contact the customer." 31. Therefore, it appeared that whilst the tick box asked individuals to consent to being contacted by a trusted debt solution provider, it did not actually give customers any other choice but to consent. As such, any ....... ........ .. .... ... ... ......., .. ... ....... had been made a pre-condition of service and customers were not given any genuine choice. 32. With regards to the volume of text messages sent and delivered in contravention of the PECR, Digivo explained that: “At the point of application we will not make any contact to the applicant only our partners will contact them directly. 10 The messages sent only relate to marketing only and not transactional.” 33. This indicated that, of the 479,017 messages sent, none of those were solicited messages sent directly in response to the submission of a loan application; nor were any of the messages included in this figure service messages. 34. Therefore, the Commissioner was able to conclude that 479,017 unsolicited marketing messages were sent in contravention of the .... over the course of just under six months, of which 415,041 were delivered. 35. Following further investigation into various types of trading styles in the industry, a link was found between Digivo and the trading style ' '. Digivo confirmed this: “We have a relationship with […] We used this sender name because we felt like it gave the simplest description on what service we offer.” 36. Digivo confirmed that the messages were included in the volume of messages described in paragraph 34, so this volume did not increase. There were 452 ‘ ’ complaints over the contravention period, increasing the total number of complaints received to 1,396. 37. The Commissioner has made the above findings of fact on the balance of probabilities. 38. The Commissioner has considered whether those facts constitute a contravention of regulation 22 of .... by Digivo and, if so, whether the conditions of section 55A ... are satisfied. 11 The contravention 39. The Commissioner finds that Digivo contravened regulation 22 of PECR. 40. The Commissioner finds that the contravention was as follows: 41. The Commissioner finds that between 24 March 2021 and 7 September 2021 there were 415,041 direct marketing SMS received by individuals. The Commissioner finds that Digivo transmitted and instigated the transmission of those direct marketing messages, contrary to regulation 22 of PECR. 42. Digivo, as the sender and instigator of the direct marketing, is required to ensure that it is acting in compliance with the requirements of regulation 22 of PECR, and to ensure that valid ....... to send those messages had been acquired. 43. For ....... to be valid it is required to be “freely given”, by which it follows that if ....... to marketing is a condition of subscribing to a service, the organisation will have to demonstrate how the ....... can be said to have been given freely. Digivo relied on a statement which must be ticked to proceed with the application, meaning that the consent obtained was not freely given. 44. ....... is also required to be “specific” as to the type of marketing communication to be received, and the organisation, or specific type of organisation, that will be sending it. In this instance, the statement asked individuals to ....... to receiving email, telephone, and SMS, with no option to pick between the communication channels. This meant the ....... obtained by Digivo was not specific. 12 45. ....... will not be “informed” if individuals do not understand what they are consenting to. Organisations should therefore always ensure that the language used is clear, easy to understand, and not hidden away in a ....... ...... .. ..... ...... ....... will not be valid if individuals are asked to agree to receive marketing from “similar organisations”, “partners”, “selected third parties” or other similar generic description. In this instance, the statement does not reference marketing at all and only stated that individuals would be contacted by third party debt solution providers, not that the individual would receive further contact from Digivo, so the ....... obtained was not informed. 46. With regards to relying on the soft opt-in, Digivo would have needed to provide individuals with the chance to opt out of future marketing at the point of collecting their personal data; this opportunity was not provided, therefore Digivo were unable to rely on the soft opt-in to justify sending unsolicited marketing messages. 47. The Commissioner is therefore satisfied from the evidence he has seen that Digivo did not have the necessary valid ....... for the 415,041 direct marketing messages received by individual subscribers. 48. The Commissioner has gone on to consider whether the conditions under section 55A ... are met. Seriousness of the contravention 49. The Commissioner is satisfied that the contravention identified above was serious. This is because, between 24 March 2021 and 7 13 September 2021, a confirmed total of 415,041 direct marketing messages were sent by Digivo and received by individual subscribers. These messages contained direct marketing material for which individual subscribers had not provided valid consent. Furthermore, the Commissioner is satisfied that Digivo cannot rely on the soft opt-in exemption. 50. Additionally, the Commissioner considers the contravention “serious” because in Digivo’s response to the investigation letter, a copy of the current ........ was provided, which contained 22,214 separate records. Digivo stated that they sent marketing on a weekly basis to those who had “consented”, which is likely to mean every customer who applied using the RidMyDebt website, given that they were unable to submit an application without checking the box that Digivo relied on as consent. This means there is the potential that 22,214 unsolicited marketing messages were being sent each week, or 1,155,128 per year. 51. Further, the contravention is serious due to the fact that 1,396 complaints were submitted during the contravention period, including one to the ICO’s online reporting tool. Additionally, a further 202 complaints were submitted to the 7726 spam text reporting tool since the end date of the contravention period and up to 18 May 2022. These complaints appear to involve the same scripts as provided to the Commissioner during the investigation period. 52. The Commissioner is therefore satisfied that condition (a) from section 55A(1) ... is met. 14 Deliberate or negligent contraventions 53. The Commissioner has considered whether the contravention identified above was deliberate. In the Commissioner’s view, this means that actions which constituted that contravention were deliberate actions (even if Digivo did not actually intend thereby to contravene PECR). 54. The Commissioner considers that in this case Digivo did deliberately contravene regulation 22 of PECR. This is because:  Digivo appeared to have a connection to , indicated via the apparent copying of their website format.  Digivo’s probable connection with other affiliated companies within the sub-prime market.  The volume of subsequent complaints submitted during and post investigation period. 55. For the above reasons, the Commissioner is satisfied that this breach was deliberate. 56. Further and in the alternative, the Commissioner has gone on to consider whether the contravention identified above was negligent. This consideration comprises two elements: 57. Firstly, he has considered whether Digivo knew or ought reasonably to have known that there was a risk that these contraventions would occur. He is satisfied that this condition is met on the basis that the organisation and director should have been aware of their responsibilities to comply with the relevant legislation. 15 58. The Commissioner has published detailed guidance for those carrying out direct marketing explaining their legal obligations under PECR. This guidance gives clear advice regarding the requirements of ....... for direct marketing and explains the circumstances under which organisations are able to carry out marketing over the phone, by text, by email, by post, or by fax. In particular it states that organisations can generally only send, or instigate, marketing messages to individuals if that person has specifically consented to receiving them. The guidance also provides a full explanation of the soft opt-in exemption. The Commissioner has also published detailed guidance on consent under the GDPR. In case organisations remain unclear on their obligations, the ... ........ . ......... ......... ... communications about previous enforcement action where businesses have not complied with .... are also readily available. 59. It is therefore reasonable to suppose that Digivo should have been aware of their responsibilities in this area. 60. Secondly, the Commissioner has gone on to consider whether Digivo failed to take reasonable steps to prevent the contraventions. Again, he is satisfied that this condition is met. 61. The ... produces clear guidance via its website on the rules of direct marketing. In addition, the ... operates a helpline should organisations require further clarification or assistance with specific enquiries. Should Digivo have any questions regarding their direct marketing techniques, it would have been reasonable to consult these resources. 62. Further, it is clear that, at the point of being notified of the Commissioner's investigation, Digivo were aware of risks. The 16 subsequent volume of complaints following this point in time illustrates the organisation failed to take reasonable steps to avoid further contraventions. 63. In the circumstances, the Commissioner is satisfied that Digivo failed to take reasonable steps to prevent the contraventions. 64. The Commissioner is therefore satisfied that condition (b) from section 55A (1) ... is met. The Commissioner’s decision to issue a monetary penalty 65. The Commissioner has taken into account the following aggravating feature of this case:  Of the individuals involved, there will have likely been a proportion of subscribers in receipt of marketing texts who are financially vulnerable. The Panel are min dful that some debt management options are not always in the best interests of those suffering financial hardship. 66. The Commissioner found no mitigating factors. 67. For the reasons explained above, the Commissioner is satisfied that the conditions from section 55A (1) ... have been met in this case. He is also satisfied that the procedural rights under section 55B have been complied with. 68. The latter has included the issuing of a Notice of Intent, dated 25 May 2023, in which the Commissioner set out his preliminary thinking. In reaching his final view, the Commissioner has taken into account the representations made by Digivo on this matter. 17 69. The Commissioner is accordingly entitled to issue a monetary penalty in this case. 70. The Commissioner has considered whether, in the circumstances, he should exercise his discretion so as to issue a monetary penalty. 71. The Commissioner has considered the likely impact of a monetary penalty on Digivo. In doing so, the Commissioner has given careful consideration to the representations made by Digivo in response to the Notice of Intent. However, the Commissioner has decided that a penalty nevertheless remains the appropriate course of action in the circumstances of this case. 72. The Commissioner’s underlying objective in imposing a monetary penalty notice is to promote compliance with PECR. The sending of unsolicited direct marketing messages is a matter of significant public concern. A monetary penalty in this case should act as a general encouragement towards compliance with the law, or at least as a deterrent against non-compliance, on the part of all persons running businesses currently engaging in these practices. The issuing of a monetary penalty will reinforce the need for businesses to ensure that they are only messaging those who specifically ....... to receive direct marketing. 73. In making his decision, the Commissioner has also had regard to the factors set out in s108(2)(b) of the Deregulation Act 2015; including: the nature and level of risks associated with non-compliance, including the risks to economic growth; the steps taken by the business to achieve compliance and reasons for its failure; the willingness and ability of the business to address non-compliance; the likely impact of the proposed intervention on the business, and the likely impact of the 18 proposed intervention on the wider business community, both in terms of deterring non-compliance and economic benefits to legitimate businesses. 74. For these reasons, the Commissioner has decided to issue a monetary penalty in this case. The amount of the penalty 75. Taking into account all of the above, the Commissioner has decided that a penalty in the sum of £50,000 (fifty thousand pounds) is reasonable and proportionate given the particular facts of the case and the underlying objective in imposing the penalty. Conclusion 76. The monetary penalty must be paid to the Commissioner’s office by BACS transfer or cheque by 2 November 2023 at the latest. The monetary penalty is not kept by the Commissioner but will be paid into the Consolidated Fund which is the Government’s general bank account at the Bank of England. 77. If the Commissioner receives full payment of the monetary penalty by 1 November 2023 the Commissioner will reduce the monetary penalty by 20% to £40,000 (forty thousand pounds) . However, you should be aware that the early payment discount is not available if you decide to exercise your right of appeal. 78. There is a right of appeal to the First-tier Tribunal (Information Rights) against: (a) the imposition of the monetary penalty 19 and/or; (b) the amount of the penalty specified in the monetary penalty notice. 79. Any notice of appeal should be received by the Tribunal within 28 days of the date of this monetary penalty notice. 80. Information about appeals is set out in Annex 1. 81. The Commissioner will not take action to enforce a monetary penalty unless:  the period specified within the notice within which a monetary penalty must be paid has expired and all or any of the monetary penalty has not been paid;  all relevant appeals against the monetary penalty notice and any variation of it have either been decided or withdrawn; and  the period for appealing against the monetary penalty and any variation of it has expired. 82. In England, Wales and Northern Ireland, the monetary penalty is recoverable by Order of the County Court or the High Court. In Scotland, the monetary penalty can be enforced in the same manner as an extract registered decree arbitral bearing a warrant for execution issued by the sheriff court of any sheriffdom in Scotland. 20 Dated the 3 rd day of October 2023 Andy Curry Head of Investigations Information Commissioner’s Office Wycliffe House Water Lane Wilmslow Cheshire SK9 5AF 21 ANNEX 1 SECTION 55 A-E OF THE DATA PROTECTION ACT 1998 RIGHTS OF APPEAL AGAINST DECISIONS OF THE COMMISSIONER 1. Section 55B(5) of the Data Protection Act 1998 gives any person upon whom a monetary penalty notice has been served a right of appeal to the First-tier Tribunal (Information Rights) (the ‘Tribunal’) against the notice. 2. If you decide to appeal and if the Tribunal considers:- a) that the notice against which the appeal is brought is not in accordance with the law; or b) to the extent that the notice involved an exercise of discretion by the Commissioner, that he ought to have exercised his discretion differently, the Tribunal will allow the appeal or substitute such other decision as could have been made by the Commissioner. In any other case the Tribunal will dismiss the appeal. 3. You may bring an appeal by serving a notice of appeal on the Tribunal at the following address: General Regulatory Chamber HM Courts & Tribunals Service PO Box 9300 Leicester LE1 8DJ 22 Telephone: 0203 936 8963 Email: a) The notice of appeal should be sent so it is received by the Tribunal within 28 days of the date of the notice. b) If your notice of appeal is late the Tribunal will not admit it unless the Tribunal has extended the time for complying with this rule. 4. The notice of appeal should state:- a) your name and address/name and address of your representative (if any); b) an address where documents may be sent or delivered to you; c) the name and address of the Information Commissioner; d) details of the decision to which the proceedings relate; e) the result that you are seeking; f) the grounds on which you rely; g) you must provide with the notice of appeal a copy of the monetary penalty notice or variation notice; h) if you have exceeded the time limit mentioned above the notice of appeal must include a request for an extension of time 23 and the reason why the notice of appeal was not provided in time. 5. Before deciding whether or not to appeal you may wish to consult your solicitor or another adviser. At the hearing of an appeal a party may conduct his case himself or may be represented by any person whom he may appoint for that purpose. 6. The statutory provisions concerning appeals to the First-tier Tribunal (Information Rights) are contained in section 55B(5) of, and Schedule 6 to, the Data Protection Act 1998, and Tribunal Procedure (First-tier Tribunal) (General Regulatory Chamber) Rules 2009 (Statutory Instrument 2009 No. 1976 (L.20)).


Testo del 2023-11-02 Fonte:


i commenti sono anonimi e inviati via mail e cancellati dopo aver migliorato la voce alla quale si riferiscono: non sono archiviati; comunque non lasciare dati particolari. Si applica la privacy policy.

Ricevi gli aggiornamenti su Digivo, sms, marketing, consent, legitimate interest e gli altri post del sito:

Email: (gratis Info privacy)

Nota: il dizionario è aggiornato frequentemente con correzioni e giurisprudenza